@pleri/olam-cli 0.1.157 → 0.1.159

package/host-cp/k8s/manifests/50-deployment.yaml

@@ -18,38 +18,30 @@
 #     before the main container starts, granting UID-1000 write access on the
 #     freshly-provisioned PV. fsGroup alone is insufficient for hostPath volumes.
 #
-#   docker-sock (/var/run/docker.sock): two-volume pattern for colima+k3d.
-#     R3-A fix (v0.1.156+): k3d MUST be created with a parent-directory bind
-#     (not a socket-file bind) so colima's socket is correctly visible inside
-#     the k3d node. The operator command is:
+#   docker access — NO LONGER VIA hostPath (changed in olam-k3d-on-mac-
+#     substrate-decision Phase B B2, 2026-05-21). The previous R3-A two-volume
+#     hostPath pattern is retracted: round-4 R4-W2-F showed virtiofs returns
+#     ENOTSUP on stat/statx of socket files, and that failure is unrecoverable
+#     at the containerd OCI runtime layer. host-cp now reaches docker via TCP
+#     through the docker-socket-proxy ExternalName Service in the olam
+#     namespace (packages/host-cp/k8s/manifests/docker-socket-proxy/60-service.yaml),
+#     which kube-dns resolves as a CNAME to host.k3d.internal. The actual
+#     proxy container runs on the operator's docker daemon (sibling to k3d),
+#     started by `olam upgrade` Step 0.7. See also
+#     packages/host-cp/src/lib/docker-request-options.mjs (both substrates now
+#     return identical TCP options).
 #
-#     k3d cluster create olam-host \
-#       --volume $HOME/.colima/default/:/host-colima/@server:* \
-#       --volume ~/.config/gh:/host/.config/gh \
-#       --wait --timeout 90s
-#
-#     This mounts the entire colima directory into the k3d node at /host-colima/.
-#     The docker socket appears at /host-colima/docker.sock inside the node.
-#     The Deployment then uses:
-#       - host-colima volume (type: Directory) for the init container chmod
-#       - docker-socket volume (type: Socket, source /host-colima/docker.sock)
-#         for the main container /var/run/docker.sock mount
-#
-#     An init container (socket-perm) runs `chmod 666 /host-colima/docker.sock`
-#     as root BEFORE the main container starts. This grants the non-root main
-#     container (UID 1000) read+write access to the daemon socket.
-#     Deliberate platform-permission concession — see Decision #15.
-#     R3-A: init container mounts host-colima (directory) and runs chmod on the
-#     socket file inside it. No symlink init container needed — empirically
-#     verified in plan pass-2 on kuro-bear 2026-05-20.
+#     The operator's k3d cluster create command is therefore simpler — no
+#     `--volume $HOME/.colima/default/:/host-colima/@server:*` flag needed.
+#     See docs/operator/kubernetes-substrate-beta.md for the current install
+#     command.
 #
 #   gh-config (/gh-config) and operator-repo (/operator-repo) remain hostPath
 #   volumes that resolve to paths inside the k3d node container.
-#   OPERATORS MUST pass these volume mounts when creating the k3d cluster (see
-#   the k3d command above). Without these flags the gh-config and operator-repo
-#   mounts will be empty. The pod will still start — features that depend on
-#   GitHub auth or the operator repo will fail gracefully. The Phase D install
-#   guide surfaces this requirement prominently.
+#   OPERATORS MUST pass these volume mounts when creating the k3d cluster.
+#   Without these flags the gh-config and operator-repo mounts will be empty.
+#   The pod will still start — features that depend on GitHub auth or the
+#   operator repo will fail gracefully.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -108,28 +100,18 @@ spec:
           volumeMounts:
             - name: olam-home
               mountPath: /data
-        - name: socket-perm
-          # busybox:1.36 — same sha256-pinned image as chown-data above.
-          # Deliberate platform-permission concession — see Decision #15.
-          # R3-A: runs chmod against /host-colima/docker.sock (the socket path
-          # inside the k3d node after the parent-directory bind). Mounts the
-          # host-colima Directory volume (not the docker-socket Socket volume)
-          # so the entire colima directory is accessible — chmod operates on
-          # the socket file within that directory. 666 (world-rw) is intentional
-          # on a single-tenant operator machine.
-          image: busybox@sha256:73aaf090f3d85aa34ee199857f03fa3a95c8ede2ffd4cc2cdb5b94e566b11662
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            runAsUser: 0
-            runAsNonRoot: false
-            allowPrivilegeEscalation: false
-          command: ["sh", "-c", "chmod 666 /host-colima/docker.sock"]
-          volumeMounts:
-            - name: host-colima
-              mountPath: /host-colima
+        # socket-perm init container REMOVED in olam-k3d-on-mac-substrate-decision
+        # Phase B B2 (2026-05-21). The R3-A two-volume hostPath approach for
+        # docker.sock has been retracted: round-4 R4-W2-F showed virtiofs
+        # ENOTSUP on socket-file stat blocks the mount entirely. host-cp now
+        # reaches docker via TCP through the docker-socket-proxy ExternalName
+        # Service in the olam namespace (see
+        # packages/host-cp/k8s/manifests/docker-socket-proxy/60-service.yaml).
+        # The proxy itself runs on the operator's docker daemon (sibling to
+        # k3d), started by `olam upgrade` Step 0.7 — not inside this Pod.
       containers:
         - name: olam-host-cp
-          image: ghcr.io/pleri/olam-host-cp@sha256:944d4d985d97fc1f90c5f4bcda84602b862c21f881b4e211e699e5daf0c76b79
+          image: ghcr.io/pleri/olam-host-cp@sha256:53c6548f6930231a6f905f4a3ae1f49dbc66e52233b64a09e539b4ffa21180db
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true
@@ -158,8 +140,13 @@ spec:
               readOnly: true
             - name: tmp
               mountPath: /tmp
-            - name: docker-socket
-              mountPath: /var/run/docker.sock
+            # docker-socket volumeMount REMOVED in olam-k3d-on-mac-substrate-
+            # decision Phase B B2. Docker access now goes via TCP to the
+            # docker-socket-proxy ExternalName Service in the olam namespace.
+            # host-cp's `getDockerRequestOptions('kubernetes')` returns
+            # `{ host: 'docker-socket-proxy', port: 2375 }` (collapsed to the
+            # same value as the compose substrate's branch — see
+            # packages/host-cp/src/lib/docker-request-options.mjs).
           readinessProbe:
             httpGet:
               path: /health
@@ -197,23 +184,13 @@ spec:
             type: DirectoryOrCreate
         - name: tmp
           emptyDir: {}
-        - name: host-colima
-          # R3-A — Parent-directory bind for colima+k3d (Decision R3-#1).
-          # k3d is created with: --volume $HOME/.colima/default/:/host-colima/@server:*
-          # The entire colima directory (including docker.sock) mounts at /host-colima/.
-          # Used by the socket-perm init container to chmod the socket file.
-          # type: Directory because the colima directory (not socket) is the source.
-          hostPath:
-            path: /host-colima
-            type: Directory
-        - name: docker-socket
-          # R3-A — Socket file within the colima directory (Decision R3-#1).
-          # Source is /host-colima/docker.sock — the socket file inside the k3d
-          # node's /host-colima directory (set by the colima parent-dir bind).
-          # Mounted at /var/run/docker.sock in the main container so host-cp can
-          # reach the operator's docker daemon without path changes in app code.
-          # The socket-perm init container runs chmod 666 on this path before
-          # the main container starts (Decision #15 — same root-init pattern).
-          hostPath:
-            path: /host-colima/docker.sock
-            type: Socket
+        # host-colima + docker-socket volumes REMOVED in olam-k3d-on-mac-
+        # substrate-decision Phase B B2 (2026-05-21). R3-A's two-volume
+        # hostPath approach is fully retracted: round-4 R4-W2-F demonstrated
+        # virtiofs ENOTSUP on socket-file stat is unrecoverable at the
+        # containerd OCI runtime layer (kubelet bypass via R4-W2-E was
+        # necessary-but-not-sufficient). host-cp now reaches docker via TCP
+        # through the docker-socket-proxy ExternalName Service — see
+        # packages/host-cp/k8s/manifests/docker-socket-proxy/60-service.yaml.
+        # The proxy itself runs on the operator's docker daemon (sibling to
+        # k3d), started by `olam upgrade` Step 0.7 on macOS.

package/host-cp/k8s/manifests/auth-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-auth-service
-          image: ghcr.io/pleri/olam-auth@sha256:8ef7906dba741e0a07994301a4bf223afa7778ce2598ea1af0e96547eed3196c
+          image: ghcr.io/pleri/olam-auth@sha256:d1b13f12d87d5b119d6495214c26d8c8255deb996d37193f3b4fa47363ab9367
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/docker-socket-proxy/60-service.yaml

@@ -0,0 +1,37 @@
+# ExternalName Service for the host-side docker-socket-proxy.
+#
+# Provides in-cluster DNS for pods to reach the host-side proxy
+# container (defined in packages/host-cp/k8s/host-side/docker-socket-proxy.compose.yaml).
+# The Service has NO backing Pod — `type: ExternalName` is a kube-dns
+# CNAME alias to `host.k3d.internal`, the gateway address that k3d
+# auto-provisions inside every node container.
+#
+# Decision #7 (round-4 plan pass 2): Universal across all k8s substrates
+# (macOS+colima+virtiofs, Linux native k3d, WSL2). One codepath; the
+# per-Pod cost of running an in-cluster proxy elsewhere is invisible
+# against the maintenance tax of OS-conditional Service generation.
+#
+# Why ExternalName and not in-cluster Pod with hostPath:
+# the in-cluster Pod would itself need to bind /var/run/docker.sock
+# from the lima VM, hitting the same virtiofs ENOTSUP class that
+# R4-W2-F is. The proxy must live OUTSIDE the k3d cluster, on the
+# operator's colima docker daemon. ExternalName makes that
+# transparent to consumers: host-cp configures
+# { host: 'docker-socket-proxy', port: 2375 } regardless of where
+# the actual proxy container lives.
+apiVersion: v1
+kind: Service
+metadata:
+  name: docker-socket-proxy
+  namespace: olam
+  labels:
+    app: docker-socket-proxy
+    olam.io/component: host-stack
+spec:
+  type: ExternalName
+  externalName: host.k3d.internal
+  ports:
+    - name: tcp-2375
+      port: 2375
+      targetPort: 2375
+      protocol: TCP

package/host-cp/k8s/manifests/kg-service/50-deployment.yaml

@@ -61,7 +61,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-kg-service
-          image: ghcr.io/pleri/olam-kg-service@sha256:bca1a91c078a4cb63809ebe6fb3f91c36c899a57adebefd3dd56c5d09af0a133
+          image: ghcr.io/pleri/olam-kg-service@sha256:e7276f9ea4d359dcb8a0d623e701e290f51c565fc8b6e3c14bea75b1b780d23d
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/mcp-auth-service/50-deployment.yaml

@@ -68,7 +68,7 @@ spec:
               mountPath: /data
       containers:
         - name: olam-mcp-auth-service
-          image: ghcr.io/pleri/olam-mcp-auth@sha256:500901539eca6de84cf873929b4fcabbef1e40d725d456f744679ae8c6c843f5
+          image: ghcr.io/pleri/olam-mcp-auth@sha256:d53a7538ca405f4d8c0c4be67d3961617304f07623839eb0de75f9cd2b47b914
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/k8s/manifests/memory-service/50-deployment.yaml

@@ -70,7 +70,7 @@ spec:
           # bootstrap-placeholder comment + run `npm run refresh:manifest-digests`
           # once ghcr.io/pleri/olam-memory-service has a real published digest.
           # bootstrap-placeholder: pre-publish; refresh after first release
-          image: ghcr.io/pleri/olam-memory-service@sha256:a77779a50d904e78627fb5b09a685220ea995cc8f0df058efcd85caf5c548d94
+          image: ghcr.io/pleri/olam-memory-service@sha256:023bde810b0594829c8aa553b88a64cf53b81b6374085c7a92fb6102450fa3ff
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

package/host-cp/src/metrics.mjs

@@ -0,0 +1,281 @@
+// Phase C Task C3 — hand-rolled Prometheus metrics registry for host-cp.
+//
+// Emits exactly two metric families:
+//   http_requests_total{service,route,method,status_code}  counter
+//   http_request_duration_seconds{service,route,method}    histogram
+//
+// TAXONOMY COMPLIANCE (NON-NEGOTIABLE):
+//   ONLY {service, route, method, status_code} labels allowed.
+//   BANNED: world_id, trace_id, user_id, request_id, operator_id.
+//   world_id surfaces via Prometheus exemplars in Phase D — NOT labels.
+//
+// No external npm deps — Prometheus text exposition is simple enough to
+// produce with template literals. Avoids the prom-client footprint on a
+// host-side service that has no other dependency on metrics tooling.
+
+// ─── Route mapping ────────────────────────────────────────────────────────
+//
+// Raw req.url is a cardinality bomb: every unique URL is a new time series.
+// We normalize dynamic path segments to stable patterns before labelling.
+//
+// RULES (first match wins):
+//   /health                          → /health
+//   /api/bootstrap                   → /api/bootstrap
+//   /metrics                         → /metrics
+//   /api/host-stream                 → /api/host-stream
+//   /api/worlds/{id}/credentials/... → /api/worlds/:id/credentials/:action
+//   /api/worlds/{id}/tunnels/...     → /api/worlds/:id/tunnels
+//   /api/worlds/{id}/pr              → /api/worlds/:id/pr
+//   /api/worlds/{id}/progress        → /api/worlds/:id/progress
+//   /api/worlds (no id)              → /api/worlds
+//   /api/world/{id}/**               → /api/world/:id/*  (proxy routes)
+//   /api/admin/registry/...          → /api/admin/registry
+//   /api/admin/upgrade               → /api/admin/upgrade
+//   /api/admin/world-pr              → /api/admin/world-pr
+//   /api/admin/world-pr/{id}         → /api/admin/world-pr/:id
+//   /api/auth/credentials/...        → /api/auth/credentials
+//   /api/auth/...                    → /api/auth
+//   /api/plan/conversations/{id}/... → /api/plan/conversations/:id
+//   /api/plan/conversations          → /api/plan/conversations
+//   /api/plan/**                     → /api/plan
+//   /api/auth/events                 → /api/auth/events
+//   /api/version/status              → /api/version/status
+//   /api/repos                       → /api/repos
+//   /api/runbooks                    → /api/runbooks
+//   /api/workspaces/match            → /api/workspaces/match
+//   /api/workspaces                  → /api/workspaces
+//   /api/projects                    → /api/projects
+//   /api/processes/**                → /api/processes
+//   /v1/chunks/**                    → /v1/chunks
+//   /v1/worlds/**                    → /v1/worlds
+//   /assets/**                       → /assets (SPA static assets)
+//   (other GET to static paths)      → /static
+//   (unknown)                        → /unknown
+
+/** @param {string} pathname */
+export function pathToRoute(pathname) {
+  // Normalize trailing slash for matching (keep bare / as /)
+  const p = pathname.length > 1 ? pathname.replace(/\/$/, '') : pathname;
+
+  if (p === '/health') return '/health';
+  if (p === '/api/bootstrap') return '/api/bootstrap';
+  if (p === '/metrics') return '/metrics';
+  if (p === '/api/host-stream') return '/api/host-stream';
+  if (p === '/api/auth/events') return '/api/auth/events';
+  if (p === '/api/version/status') return '/api/version/status';
+  if (p === '/api/repos') return '/api/repos';
+  if (p === '/api/runbooks') return '/api/runbooks';
+  if (p === '/api/workspaces/match') return '/api/workspaces/match';
+  if (p === '/api/workspaces') return '/api/workspaces';
+  if (p === '/api/projects') return '/api/projects';
+  if (p === '/api/worlds') return '/api/worlds';
+  if (p === '/api/plan/conversations' || p === '/api/plan/personas') return p;
+  if (p === '/api/admin/upgrade') return '/api/admin/upgrade';
+  if (p === '/api/admin/world-pr') return '/api/admin/world-pr';
+  if (p === '/api/admin/registry') return '/api/admin/registry';
+  if (p.startsWith('/api/worlds/')) {
+    if (p.includes('/credentials/')) return '/api/worlds/:id/credentials/:action';
+    if (p.includes('/tunnels')) return '/api/worlds/:id/tunnels';
+    if (p.endsWith('/pr')) return '/api/worlds/:id/pr';
+    if (p.endsWith('/progress')) return '/api/worlds/:id/progress';
+    return '/api/worlds/:id';
+  }
+  if (p.startsWith('/api/world/')) return '/api/world/:id/*';
+  if (p.startsWith('/api/admin/registry/')) return '/api/admin/registry';
+  if (p.startsWith('/api/admin/world-pr/')) return '/api/admin/world-pr/:id';
+  if (p.startsWith('/api/auth/credentials')) return '/api/auth/credentials';
+  if (p.startsWith('/api/auth/')) return '/api/auth';
+  if (p.startsWith('/api/plan/conversations/')) return '/api/plan/conversations/:id';
+  if (p.startsWith('/api/plan/')) return '/api/plan';
+  if (p.startsWith('/api/processes') || p.startsWith('/api/servers')) return '/api/processes';
+  if (p.startsWith('/v1/chunks')) return '/v1/chunks';
+  if (p.startsWith('/v1/worlds')) return '/v1/worlds';
+  if (p.startsWith('/assets/')) return '/assets';
+  // SPA HTML fallback routes (GET / and SPA sub-routes like /worlds, /plan/...)
+  if (p === '/' || p.startsWith('/worlds') || p.startsWith('/plan') || p.startsWith('/workspaces')) return '/static';
+  return '/unknown';
+}
+
+// ─── In-memory registry ───────────────────────────────────────────────────
+
+const HISTOGRAM_BUCKETS = [0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5];
+
+/** @type {Map<string, number>} labelSet → count */
+const _counters = new Map();
+
+/**
+ * Per label-set histogram state.
+ * @type {Map<string, {buckets: number[], sum: number, count: number}>}
+ */
+const _histograms = new Map();
+
+/** @param {string[]} parts label values in canonical order */
+function _labelKey(parts) {
+  return parts.join('\x00');
+}
+
+/**
+ * Reset all metrics. FOR TESTS ONLY — never call in production code.
+ * Exported as a separate name so it's invisible to consumers that only
+ * import the named exports they need.
+ */
+export function _resetForTest() {
+  _counters.clear();
+  _histograms.clear();
+}
+
+/**
+ * Increment http_requests_total counter.
+ *
+ * @param {string} service
+ * @param {string} route    — MUST be a normalized route pattern
+ * @param {string} method
+ * @param {string} statusCode
+ */
+export function incRequest(service, route, method, statusCode) {
+  const key = _labelKey([service, route, method, statusCode]);
+  _counters.set(key, (_counters.get(key) ?? 0) + 1);
+}
+
+/**
+ * Observe http_request_duration_seconds.
+ *
+ * @param {string} service
+ * @param {string} route
+ * @param {string} method
+ * @param {number} seconds
+ */
+export function observeDuration(service, route, method, seconds) {
+  const key = _labelKey([service, route, method]);
+  let h = _histograms.get(key);
+  if (!h) {
+    // buckets[i] = count of observations where seconds <= HISTOGRAM_BUCKETS[i]
+    // but stored as INCREMENTAL per-range so cumulation happens on render.
+    // Each bucket[i] = count that fell in range (HISTOGRAM_BUCKETS[i-1], HISTOGRAM_BUCKETS[i]].
+    h = { buckets: new Array(HISTOGRAM_BUCKETS.length).fill(0), sum: 0, count: 0 };
+    _histograms.set(key, h);
+  }
+  // Find the first bucket boundary that accommodates this observation.
+  // Increment only that bucket; render accumulates for the exposition.
+  let placed = false;
+  for (let i = 0; i < HISTOGRAM_BUCKETS.length; i++) {
+    if (seconds <= HISTOGRAM_BUCKETS[i]) {
+      h.buckets[i]++;
+      placed = true;
+      break;
+    }
+  }
+  // Observations beyond the last bucket are counted in h.count only;
+  // the +Inf bucket in the exposition equals h.count.
+  if (!placed) {
+    // No bucket captured it — it lands in +Inf only.
+  }
+  h.sum += seconds;
+  h.count++;
+}
+
+// ─── Prometheus text exposition ───────────────────────────────────────────
+
+/** Escape label value per Prometheus text format (backslash, newline, quote). */
+function escapeLabelValue(v) {
+  return String(v).replace(/\\/g, '\\\\').replace(/\n/g, '\\n').replace(/"/g, '\\"');
+}
+
+/**
+ * Build the `{k1="v1",k2="v2",...}` label-set string.
+ * @param {Record<string, string>} labels
+ */
+function labelSet(labels) {
+  const parts = Object.entries(labels).map(
+    ([k, v]) => `${k}="${escapeLabelValue(v)}"`,
+  );
+  return `{${parts.join(',')}}`;
+}
+
+/**
+ * Render the complete Prometheus text exposition.
+ * @returns {string}
+ */
+export function renderMetrics() {
+  const lines = [];
+
+  // ── http_requests_total ─────────────────────────────────────────────
+  lines.push('# HELP http_requests_total Total number of HTTP requests handled.');
+  lines.push('# TYPE http_requests_total counter');
+  for (const [key, count] of _counters) {
+    const [service, route, method, status_code] = key.split('\x00');
+    lines.push(
+      `http_requests_total${labelSet({ service, route, method, status_code })} ${count}`,
+    );
+  }
+
+  // ── http_request_duration_seconds ───────────────────────────────────
+  lines.push('# HELP http_request_duration_seconds HTTP request duration in seconds (histogram).');
+  lines.push('# TYPE http_request_duration_seconds histogram');
+  for (const [key, h] of _histograms) {
+    const [service, route, method] = key.split('\x00');
+    const base = { service, route, method };
+    // Cumulative buckets: le=X must be ≥ sum of all observations ≤ X.
+    let cumulative = 0;
+    for (let i = 0; i < HISTOGRAM_BUCKETS.length; i++) {
+      cumulative += h.buckets[i];
+      lines.push(
+        `http_request_duration_seconds_bucket${labelSet({ ...base, le: String(HISTOGRAM_BUCKETS[i]) })} ${cumulative}`,
+      );
+    }
+    lines.push(
+      `http_request_duration_seconds_bucket${labelSet({ ...base, le: '+Inf' })} ${h.count}`,
+    );
+    lines.push(`http_request_duration_seconds_sum${labelSet(base)} ${h.sum}`);
+    lines.push(`http_request_duration_seconds_count${labelSet(base)} ${h.count}`);
+  }
+
+  lines.push(''); // trailing newline
+  return lines.join('\n');
+}
+
+// ─── Request instrumentation wrapper ─────────────────────────────────────
+
+/**
+ * Wrap an async request handler so every request is instrumented.
+ *
+ * The wrapper:
+ *   1. Derives a stable route pattern from req.url.
+ *   2. Starts a high-resolution timer.
+ *   3. Calls the original handler.
+ *   4. Records counter + histogram using the response's status code.
+ *
+ * Status code capture: we monkey-patch res.writeHead and res.end to intercept
+ * the status before it's sent. Falls back to res.statusCode (which Node sets
+ * implicitly on .end() when no explicit writeHead call was made).
+ *
+ * @param {string} serviceName  — emitted as the `service` label
+ * @param {(req: import('node:http').IncomingMessage, res: import('node:http').ServerResponse) => Promise<void>} handler
+ * @returns {(req: import('node:http').IncomingMessage, res: import('node:http').ServerResponse) => Promise<void>}
+ */
+export function instrumentHandler(serviceName, handler) {
+  return async (req, res) => {
+    const start = performance.now();
+
+    // Intercept status code by wrapping writeHead.
+    let capturedStatus = null;
+    const origWriteHead = res.writeHead.bind(res);
+    res.writeHead = (status, ...rest) => {
+      capturedStatus = status;
+      return origWriteHead(status, ...rest);
+    };
+
+    try {
+      await handler(req, res);
+    } finally {
+      const durationSec = (performance.now() - start) / 1000;
+      const urlObj = new URL(req.url ?? '/', `http://localhost`);
+      const route = pathToRoute(urlObj.pathname);
+      const method = (req.method ?? 'GET').toUpperCase();
+      const statusCode = String(capturedStatus ?? res.statusCode ?? 200);
+
+      incRequest(serviceName, route, method, statusCode);
+      observeDuration(serviceName, route, method, durationSec);
+    }
+  };
+}

package/host-cp/src/server.mjs

@@ -53,6 +53,7 @@ import {
   normalizeName,
 } from './world-names-store.mjs';
 import { createLocalWorldsSource } from './local-worlds-source.mjs';
+import { dispatchTasksRoute } from './tasks-route.mjs';
 import { createPylonWorldsSource } from './pylon-worlds-source.mjs';
 import { composeWorldsSources } from './compose-worlds-sources.mjs';
 import { createWorldPrStateStore } from './world-pr-state.mjs';
@@ -71,6 +72,7 @@ import {
   handleListServers,
   handleServerBridges,
 } from './routes/process-port.mjs';
+import { instrumentHandler, renderMetrics } from './metrics.mjs';
 
 // ── Deployment-mode detection ─────────────────────────────────────
 //
@@ -680,7 +682,10 @@ async function getSecret(worldId) {
 
 // ── HTTP server ──────────────────────────────────────────────────────
 
-const server = http.createServer(async (req, res) => {
+// Phase C Task C3: wrap the raw handler with the Prometheus instrumentation
+// wrapper. Every request increments http_requests_total and observes
+// http_request_duration_seconds before the response is sent.
+const server = http.createServer(instrumentHandler('host-cp', async (req, res) => {
   const url = new URL(req.url ?? '/', `http://${req.headers.host}`);
 
   // /health: fast diagnostics, no auth, no proxying. Docker healthcheck
@@ -717,6 +722,22 @@ const server = http.createServer(async (req, res) => {
     });
   }
 
+  // /metrics: Prometheus text exposition (Phase C Task C3).
+  // Unauthenticated — same rationale as /health: the Prometheus scraper
+  // in-cluster cannot carry the operator's session token.
+  // Returns only the 4 taxonomy-compliant labels {service,route,method,status_code}.
+  // BANNED labels (world_id, trace_id, user_id, request_id, operator_id)
+  // are never emitted here; layer-2 enforcement is the ServiceMonitor labeldrop.
+  if (url.pathname === '/metrics') {
+    const body = renderMetrics();
+    res.writeHead(200, {
+      'Content-Type': 'text/plain; version=0.0.4; charset=utf-8',
+      'Cache-Control': 'no-cache, no-store',
+    });
+    res.end(body);
+    return;
+  }
+
   // /api/bootstrap: SPA reads the token at load time. Unauthed because
   // anything local that can hit 127.0.0.1:19000 can also read the token
   // file directly (same OS-level privilege boundary). Single-user-only;
@@ -773,6 +794,14 @@ const server = http.createServer(async (req, res) => {
     }));
   }
 
+  // /api/tasks/* — B2.2: @olam/tasks-write-api mount via pgPoolExecutor
+  // adapter. Bearer-auth already applied above; per-request scopes + olamNodeId
+  // come from X-Olam-* headers; RLS enforced server-side per D-B-23.
+  if (url.pathname.startsWith('/api/tasks')) {
+    const handled = await dispatchTasksRoute(req, res, url);
+    if (handled) return;
+  }
+
   // /api/version/status: returns the current version snapshot (baked SHA
   // vs operator's local HEAD). No auth required beyond the existing gate
   // (already applied above). Phase 1 only — detection, no auto-upgrade.
@@ -2178,7 +2207,7 @@ const server = http.createServer(async (req, res) => {
     pathname: url.pathname,
     message: 'B3 ships /health + /api/world/<id>/*. B4-B9 ship the rest.',
   });
-});
+}));
 
 /**
  * @param {import('node:http').ServerResponse} res